[Samba] AD authentication issue in Samba (kerberos errors)
Paul R. Ganci
ganci at nurdog.com
Thu Mar 21 01:56:10 UTC 2019
On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
> On Wed, 20 Mar 2019 17:22:36 +0200
> "linux.il via samba" <samba at lists.samba.org> wrote:
>> Thank you, I'll try to implement your suggestions.
>> But it definitely worked without winbind.
> Then your 'Samba' problem isn't a Samba problem :-)
> As far as Samba is concerned, you have always needed to run winbind on a
> Unix ads domain member. It became mandatory from 4.8.0
I will also second that winbind is not necessary on a member server. I
have 4 Centos 7 member servers and none of them have winbind running on
them. Each of these use SSSD and have absolutely no problems. These
systems have been operating without winbind for years. When I updated to
4.8 and 4.9 on the Samba AD which does use winbind the member servers
never were updated to use winbind. So I don't know what circumstances it
is deemed that winbind is necessary on a domain member. I can just
confirm like the op that it is not necessary on any of the domain
members I am running.
Having said that I explicitly run:
CentOS Linux release 7.6.1810 (Core)
The version of Centos runs on every linux box I have. On the AD I run
the Sernet packages for Centos:
> rpm -qa | grep sernet
On each member server I have these RPMs from the Centos repository
>rpm -qa | grep samba
None of these samba packages contain winbind:
> rpm -ql `rpm -qa | grep samba` | grep winbind
The /var/run/winbindd directory is only where the process ID would end
up if I were running winbind. The actual Centos RPM containing winbind
is in package samba-winbind which as you can see is not listed on the
member server samba package list.
Here is the result of a ps on one of my member servers:
> ps auxww | grep win
prg-118+ 21497 0.0 0.0 112708 972 pts/2 S+ 19:38 0:00 grep
Note there is no winbindd running.
Moreover here is the result of a getent passwd user (I sanitized the
user) on a member server not running winbindd:
> getent passwd user:
Here is the samba config /etc/smb.conf from the same member server:
security = ads
realm = MYHOME.EXAMPLE.COM
workgroup = MYHOME
log file = /var/log/samba/%m.log
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 30000-100000
idmap config MYHOME:backend = ad
idmap config MYHOME:schema_mode = rfc2307
idmap config MYHOME:range = 10000-29999
Note that the user ID falls in my domain MYHOME range so it is
indeed an AD user.
So maybe someday I will have problems but using SSSD with a proper setup
allows me to use a Samba AD without having to run winbind on the member
server. I will continue to operate like that until the day I have an
issue so I will keep this message handy in a note book just in case. But
I firmly believe that a proper SSSD setup precludes the need for winbind
at this point in time.
Paul (ganci at nurdog.com)
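The check Paul is doing by eye above (read the idmap ranges out of smb.conf, then see whether the UID that getent returns lands in the domain's range rather than the default "*" range) can be scripted. The following is an added example, not code from this thread or from the Samba project; the smb.conf text and the getent passwd line it uses are constructed from the configuration quoted above, and the function names are the author's own. It also flags overlapping idmap ranges, a misconfiguration the quoted smb.conf does not have but which is worth testing for whenever a new domain range is added.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap-related lines of the member server smb.conf
# quoted in this thread, embedded so the script runs without a real file.
SAMPLE_SMB_CONF = """
[global]
security = ads
realm = MYHOME.EXAMPLE.COM
workgroup = MYHOME
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 30000-100000
idmap config MYHOME:backend = ad
idmap config MYHOME:schema_mode = rfc2307
idmap config MYHOME:range = 10000-29999
"""

# Constructed sample of what `getent passwd user` might print (hypothetical
# values; the real output was sanitized out of the original message).
SAMPLE_PASSWD_LINE = "user:*:12345:10001:Example User:/home/MYHOME/user:/bin/bash"

# Matches "idmap config <domain>:range = <low>-<high>"; the domain part may be "*".
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every idmap range line in the config."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if not m:
            continue
        domain, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"idmap range for {domain} is inverted: {low}-{high}")
        ranges[domain] = (low, high)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose idmap ranges intersect (should be empty)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    clashes: List[Tuple[str, str]] = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (d1, (lo1, hi1)), (d2, (lo2, hi2)) = items[i], items[j]
            if lo2 <= hi1 and lo1 <= hi2:
                clashes.append((d1, d2))
    return clashes


def classify_uid(uid: int, ranges: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name the idmap domain a UID belongs to, preferring a named domain over "*".

    Returns the domain name, "*" for the default/tdb range, or None when the
    UID lies outside every configured range (i.e. it is a local /etc/passwd user
    or something is misconfigured).
    """
    for domain, (low, high) in ranges.items():
        if domain != "*" and low <= uid <= high:
            return domain
    if "*" in ranges and ranges["*"][0] <= uid <= ranges["*"][1]:
        return "*"
    return None


def uid_from_passwd_line(line: str) -> int:
    """Extract the numeric UID (third field) from a getent passwd line."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError(f"not a passwd entry: {line!r}")
    return int(fields[2])


def classify_passwd_line(line: str, conf_text: str) -> Optional[str]:
    """Combine the two: which idmap range does this getent entry fall into?"""
    return classify_uid(uid_from_passwd_line(line), parse_idmap_ranges(conf_text))


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_SMB_CONF)
    print("idmap ranges:", ranges)
    print("overlaps:", overlapping_ranges(ranges) or "none")
    print("sample user maps to:", classify_passwd_line(SAMPLE_PASSWD_LINE, SAMPLE_SMB_CONF))
```

To run it against a real member server, replace the two constructed samples with the contents of the actual smb.conf and the output of `getent passwd <user>`; a result of "MYHOME" means the UID came from the domain range, "*" means it was allocated from the default tdb range, and None means it is not an idmap-managed UID at all.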